ABSTRACT
Using the hard-fork mechanism of a blockchain to recover losses caused by attacks contradicts the immutability that a blockchain system is supposed to provide. To keep malicious transactions out of the blockchain in the first place, we propose a runtime hook technique that synchronizes and analyzes the ongoing transactions exposed to the Ethereum transaction pool. Having a complete view of both past and ongoing transactions, we can identify malicious transactions, enforce their abortion, and thereby prevent losses from attacks being executed and recorded in the blockchain. Specifically, we modify the Ethereum source code to instrument the entry point of a node, synchronize the data received from the Ethereum P2P network, and systematically scan transactions for suspicious patterns that indicate potential attacks. As a proof of concept, we show how to deploy the proposed runtime hook system on a private blockchain, where it detects and prevents double-spending transactions in a 51% attack and reentrancy attacks on smart contracts.
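The abstract describes the hook only at the level of "scan suspicious patterns in transactions". The following Go program is an added example written for this page, not code from the paper or from any Ethereum client; it shows the two checks a pool-entry hook with a view of past and pending transactions can actually make for the two attacks named: a sender/nonce pair re-spent under a different transaction hash (the double-spend signature of a 51% reorganization, or of a conflicting pending transaction), and a contract re-entered while one of its frames is still open (the reentrancy pattern, checked on an execution trace the node would obtain by simulating the pending transaction). The `Tx` and `Frame` structs, the `Hook` type and all addresses and hashes are constructed for the example; the 10% fee-bump threshold is geth's default price-bump rule, assumed here as the only legitimate reason for a same-nonce replacement.

```go
package main

import "fmt"

// Tx is the subset of an Ethereum transaction a pool-level hook needs.
// Struct and field names are assumptions for this example, not a client's own types.
type Tx struct {
	Hash     string
	From     string
	Nonce    uint64
	To       string
	GasPrice uint64
}

// Frame is one call frame of an EVM execution trace, listed in entry order.
// Depth 0 is the transaction's top-level call. Constructed abstraction for the example.
type Frame struct {
	Depth  int
	Callee string
}

// Hook is the node-side view the runtime hook maintains: transactions already
// recorded in the canonical chain and transactions still pending in the pool.
type Hook struct {
	confirmed map[string]map[uint64]Tx // sender -> nonce -> confirmed tx
	pending   map[string]map[uint64]Tx // sender -> nonce -> pending tx
}

func NewHook() *Hook {
	return &Hook{confirmed: map[string]map[uint64]Tx{}, pending: map[string]map[uint64]Tx{}}
}

func put(m map[string]map[uint64]Tx, tx Tx) {
	if m[tx.From] == nil {
		m[tx.From] = map[uint64]Tx{}
	}
	m[tx.From][tx.Nonce] = tx
}

// Confirm records a transaction included in the canonical chain and drops it from the pool view.
func (h *Hook) Confirm(tx Tx) {
	put(h.confirmed, tx)
	delete(h.pending[tx.From], tx.Nonce) // delete on a nil map is a no-op
}

// AdmitPending is the pool entry hook. A second transaction from the same sender at the
// same nonce is accepted only as a fee-bump replacement (>=10% higher gas price, geth's
// default price bump); any other conflict is a double-spend candidate and is rejected.
// A nonce the chain has already confirmed is always rejected. Returns nil when admitted.
func (h *Hook) AdmitPending(tx Tx) error {
	if prev, ok := h.confirmed[tx.From][tx.Nonce]; ok && prev.Hash != tx.Hash {
		return fmt.Errorf("nonce %d of %s already confirmed as %s", tx.Nonce, tx.From, prev.Hash)
	}
	if prev, ok := h.pending[tx.From][tx.Nonce]; ok && prev.Hash != tx.Hash && tx.GasPrice*10 < prev.GasPrice*11 {
		return fmt.Errorf("double-spend candidate: %s nonce %d pending as %s (to %s), rejected %s (to %s)",
			tx.From, tx.Nonce, prev.Hash, prev.To, tx.Hash, tx.To)
	}
	put(h.pending, tx)
	return nil
}

// CheckBlock inspects the transactions of a block arriving on a competing chain (a reorg)
// and returns every one that re-spends a sender/nonce pair the node already saw confirmed
// under a different hash: the signature of a double spend carried out by a 51% attack.
func (h *Hook) CheckBlock(txs []Tx) []string {
	var conflicts []string
	for _, tx := range txs {
		if prev, ok := h.confirmed[tx.From][tx.Nonce]; ok && prev.Hash != tx.Hash {
			conflicts = append(conflicts, fmt.Sprintf("double spend: %s nonce %d confirmed as %s (to %s), reorg block carries %s (to %s)",
				tx.From, tx.Nonce, prev.Hash, prev.To, tx.Hash, tx.To))
		}
	}
	return conflicts
}

// DetectReentrancy walks a call trace and reports every call into a contract that still
// has an open (not yet returned) frame higher up the stack, i.e. the contract is
// re-entered before its earlier invocation finished, the pattern behind The DAO attack.
func DetectReentrancy(trace []Frame) []string {
	var open, findings = []Frame{}, []string{}
	for _, f := range trace {
		for len(open) > 0 && open[len(open)-1].Depth >= f.Depth { // those frames have returned
			open = open[:len(open)-1]
		}
		for _, o := range open {
			if o.Callee == f.Callee {
				findings = append(findings, fmt.Sprintf("reentrancy: %s re-entered at depth %d while its frame at depth %d is open", f.Callee, f.Depth, o.Depth))
				break
			}
		}
		open = append(open, f)
	}
	return findings
}

func main() {
	h := NewHook()
	// constructed sample: nonce 7 of 0xalice confirmed as a payment to a merchant,
	// then a reorg block that sends the same nonce back to 0xalice instead
	h.Confirm(Tx{Hash: "0xa1", From: "0xalice", Nonce: 7, To: "0xmerchant", GasPrice: 20})
	fmt.Println(h.CheckBlock([]Tx{{Hash: "0xa2", From: "0xalice", Nonce: 7, To: "0xalice", GasPrice: 20}}))
	// pool: first tx admitted (nil), conflicting recipient at the same price rejected
	fmt.Println(h.AdmitPending(Tx{Hash: "0xb1", From: "0xbob", Nonce: 1, To: "0xshop", GasPrice: 20}))
	fmt.Println(h.AdmitPending(Tx{Hash: "0xb2", From: "0xbob", Nonce: 1, To: "0xbob", GasPrice: 20}))
	// constructed DAO-style trace: victim.withdraw -> attacker fallback -> victim.withdraw again
	fmt.Println(DetectReentrancy([]Frame{{0, "0xvictim"}, {1, "0xattacker"}, {2, "0xvictim"}}))
}
```

The nonce check is cheap enough to run on every transaction at the P2P entry point; the trace check requires executing the pending transaction against current state first, which is the cost a node pays for aborting a reentrancy before it is mined rather than after.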
Index Terms
- Runtime Hook on Blockchain and Smart Contract Systems